• 0 Votes
    4 Posts
    591 Views
    bmeeksB

    @swarm said in pfSense as OpenVPN client keeps routing random websites through VPN server (which don't get past the VPN gateway):

    Hey @bmeeks . Appreciate your answer. I decided to delete and reconfigure the client to see what happens. I checked the boxes to both not pull routes and bar the server from adding routes to the local routing table. Forgot to do it when setting up the client initially so I edited the original config afterwards, if it makes any difference. Is it possible some of the routes are still there in the table and won't go away? Any way to check that? The problem still persists and I think it's because of something being cached where it shouldn't be.

    You may need to flush the routing table. If the firewall is not a business-critical item (meaning it's just your home network or similar), I would just reboot pfSense to be sure everything "cached" is flushed.

  • Port forwarding 443 but keep it stealth

    8
    0 Votes
    8 Posts
    983 Views
    PippinP

    other unique indicators?

    Other than already mentioned, use tls-crypt...

  • Open vpn ldap over NAT

    1
    0 Votes
    1 Posts
    226 Views
    No one has replied
  • OpenVPN 2.4.4: Cannot connect with external CRL

    6
    0 Votes
    6 Posts
    1k Views
    S

    @sepp_huber said in OpenVPN 2.4.4: Cannot connect with external CRL:

    default_crl_days

    One pitfall for me was that "default_crl_days" must be set in the environment where the CRL is generated and NOT on the pfSense instance.

    Which is just logical ;-)

  • Trying to ping pfSense as an OpenVPN client, but no response

    1
    0 Votes
    1 Posts
    203 Views
    No one has replied
  • OpenVPN Using RADIUS

    1
    0 Votes
    1 Posts
    269 Views
    No one has replied
  • Openvpn client using multiple Server address

    2
    0 Votes
    2 Posts
    346 Views
    jimpJ

    It has no concept of "prioritization". It will keep trying the next server in the list if it gets disconnected or times out. Assuming it respects multiple duplicate entries, that may help, but ultimately it means that it will try the first one twice and then the second if the first two tries time out.

  • OpenVPN can't connect on Windows 8

    6
    0 Votes
    6 Posts
    637 Views
    GertjanG

    @calvinsteel said in OpenVPN can't connect on Windows 8:

    I have read too many guides.
    https://www.vpngate.net/en/howto_l2tp.aspx
    https://www.expressvpn.com/what-is-vpn/protocols/l2tp
    https://www.purevpn.com/what-is-vpn/protocols/l2tp
    But still nothing.

    All wrong.
    The sites you mentioned are companies that offer VPN services.
    They have a VPN server that you can access with a "client", like your Windows 8 PC.

    I advise you to start with https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/openvpn-remote-access-server.html

    Then, stop reading, and look at these https://www.youtube.com/channel/UC3Cq2kjCWM8odzoIzftS04A/videos - take the 2, 3 VPN "server" videos.

    Btw : install this package :

    599a7906-c802-49af-a0af-27aa8ba0a649-image.png

    When you have finished setting up your OpenVPN server, and added at least one "client" (the visitor), you go to "OpenVPNClient Export Utility" and select :

    939d1fa5-8058-4e0e-ac41-b489c424730e-image.png

    Take that zip file, bring it to your Windows 8 PC, install and go.

  • windows 10 openvpn connect to multiple remote clients

    24
    0 Votes
    24 Posts
    2k Views
    A

    thx

  • pfSense as remote client to VPN Host WAN Problem

    5
    0 Votes
    5 Posts
    681 Views
    S

    @Rico Clients connected to the WAN_VPN get directed to Site B as desired but the other clients lose WAN. If I disable interface, WAN returns.

    I worked around it by setting applicable firewall rules on LAN to use the Advanced->Gateway->WAN but there must be a different solution. Why would the default gateway WAN not be used?

  • OpenVPN Issue with 2.4 upgrade

    44
    0 Votes
    44 Posts
    9k Views
    G

    Hi @jimp I have the same issue and updated the redmine: https://redmine.pfsense.org/issues/8142

    As you can see I have full control over the VPN server (and options) so I can do whatever test/log is needed in order to sort out the issue.

  • OpenVPN ping pfsense on LAN, but not ping another computer

    1
    0 Votes
    1 Posts
    218 Views
    No one has replied
  • pfSense blocking OpenVPN user login request

    8
    0 Votes
    8 Posts
    1k Views
    GertjanG

    On the client, are the needed 'cert' files present, found and loaded by the OpenVPN client?

    From what I make of it, it can't find the needed cert info.

    Also : use the Netgate official videos (YouTube) to check your config with what you see in the videos.

  • tunneled machine can't ping specific local server

    2
    0 Votes
    2 Posts
    284 Views
    B

    Well, finally I could manage to do what I want. Due to a missing gateway entry in /etc/network/interfaces (Ubuntu) I was not able to connect properly.

  • Prevent failover on OpenVPN client gateway

    3
    0 Votes
    3 Posts
    353 Views
    M

    No, that's not the case. They are bound to the individual WAN gateways. I've attached a few pictures. You can see in the OpenVPN clients list that they are each bound to separate WAN interfaces. The gateway list shows that one of the WANs is down but both VPN tunnels are up. The VPN status page shows that both are up but doesn't show the local IP address for the one with the gateway that is down. (I can see on the server end that both connections come from the same IP)

    EDIT to add: Each connection has a separate client cert so when I look on the server status I can also tell both are connected because both common names are used.

  • OpenVPN Authentication error

    1
    0 Votes
    1 Posts
    273 Views
    No one has replied
  • Can't ping local devices or connect to NAS.

    3
    0 Votes
    3 Posts
    559 Views
    N

    @Derelict I've looked in the firewall, but see no denied connections. If I had to create such a rule, how would you do that?

    Edit: You've got to be kidding me, all these headaches for this. All you have to do is add the vpn subnet to "smb-in". I'm so dumb.

  • OpenVPN after router setup.

    4
    0 Votes
    4 Posts
    500 Views
    RicoR

    So you want to use pfSense just as an OpenVPN server behind the Comcast and nothing else? That would be a waste. ;-)
    And you have to mess around with manually adding routes to the Comcast and so on.
    Why not use pfSense as full Firewall/Router?

    -Rico

  • OpenVPN Bridged network 2 sites

    2
    0 Votes
    2 Posts
    294 Views
    RicoR

    No idea about this old howto, better follow the latest official documentation: https://docs.netgate.com/pfsense/en/latest/book/openvpn/bridged-openvpn-connections.html

    -Rico

  • Connection does not complete.

    2
    0 Votes
    2 Posts
    1k Views
    W

    So what I discovered is that no protocols are being set (checked) for the TAP-Windows Adapter during installation of the OpenVPN client. Why would that all of a sudden change when nothing else changed from the OpenVPN end? Still using same process. Still using same version of client, etc.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.